An Inside Look at Hacker Business Models

The industrialized hackers are intent on one goal--making money. They also know the basic rules of the business of increasing revenues while cutting costs. (Part IV In a Series on Cybercrime. Read Part I, Part II, Part III)

As hackers started making money, the field became full of “professionals” that inspired organized cyber crime. Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization. What do these business models look like?

Hacker Business Models

Increasing Revenue

Data has become the hacker’s currency. More data, more money. So the attack logic is simple: the more attacks, the more likely a victim, so you automate. But an interesting variation has emerged. A few months ago, Imperva’s ADC research team witnessed a phishing campaign which employed such a business model. In this scheme, a master hacker wrote a phishing toolkit for other hackers to use. The “proxy” hackers downloaded the kit, chose a phishing site using a simple GUI dashboard and, just like that, were good to go.

The popularity of the kit soared because, unlike traditional phishing setups, where hackers are required to set up and allocate storage for the data collection, this kit removed that back-office work from the “proxy” hacker. The master hacker had actually provided “cloud storage” with his kit for the fraudulently obtained credentials. The credentials, once retrieved, would go to the cloud storage and reside in a location allocated only for the single “proxy” hacker. Controls were set such that one proxy hacker could not access the allocation area of another proxy hacker. The proxy hackers could continue with their attacks without ever worrying about being cheated by a fellow hacker.

But this kit had a twist: although access to the credentials storage was secured from the eyes of fellow proxy hackers, this was not the case with the master hacker. A backdoor on the storage system allowed the master hacker who wrote the kit to view all of these credentials. In reality, then, all the proxy hackers were gathering credentials for the master hacker! Now consider the scenario: assume each proxy hacker gains a dozen credentials, and a thousand hackers have downloaded the kit. That’s already over 10K worth of valuable data without the master hacker ever needing to dirty his hands with the actual target! In fact, the master hacker boasted some 200K downloads. This number may well be exaggerated, but the point is clear: the kit is widely in use.

Cutting Costs

Like any organization, hackers want to tighten their belts on budget spending. Time is money, even hacker time. So instead of reinventing the wheel, hackers look for existing tools that they can reuse. Templates and kits exist for just about every kind of attack, for example the phishing kit downloaded by the proxy hackers mentioned earlier. Off-the-shelf kits are not the only way to cut costs. Different technology solutions are deployed to cut the costs of storage and hosting. We saw how hackers were lured to use cloud technologies for their backend data collection. But they are also using free hosting providers. In an XSS attack campaign, the hacker was storing all the stolen credentials on such a free hosting site. Digging deeper, the researchers found that the hosting provider was servicing numerous cyber-thieves in a similar manner.

Another cost-cutting method is to increase the capacity of each attack. This is one of the reasons why controlling servers is so appealing to hackers. By utilizing the server’s resources, for example network bandwidth and CPU, a hacker can achieve a stronger attack impact. In fact, a recent Distributed Denial of Service (DDoS) attack was achieved by employing servers in the attack campaign.

Marketing

What’s the point of having a state-of-the-art hacker tool if no one is going to use it? For this the hackers turn to the marketing department. The aforementioned phishing kit was advertised in different underground hacker forums. But even more mainstream venues are used. For example, last month Damballa uncovered the IMDDOS botnet. The operators of the botnet had actually set up a public-facing Web site offering their service: performing a Distributed Denial of Service (DDoS) attack against the target of the user’s choice. All the user had to do was go to that Web site and subscribe to the service.

As with any successful business, it is not enough to just advertise. To really penetrate the market, you need to show you know your stuff. And hackers are even using YouTube as a channel to promote their skills. Video tutorials of hacks are common. For instance, a tutorial of an XSS attack was uploaded to YouTube in 2007. The 2010 XSS attack campaign mentioned earlier used nearly identical steps to perform the attack.

Advice

• Study the hacker business model – Understanding these models allows the security industry to focus its controls on the problem itself, rather than on the symptom. Up until now, many phishing-targeted companies (banking applications, retail, webmail, etc.) were taking down the malicious sites, one URL at a time. But that’s an endless game: given that hackers only need to repost the Web front end with a new URL, they’re back in business within a few clicks. However, when the business model is understood, namely, that hackers are fool-sourcing their attacks, these organizations can locate the brain and heart of the malicious operation. Remove these vital organs, and the hacker activity slows down as the proxy hackers look for another kit and storage.

• Educate yourself on the ways of hackers - Study the techniques used in order to put the necessary controls in place to protect your system against different classes of attacks. Remember the 2007 tutorial? Watch and learn!

• Blacklist known “hacker”-servicing hosting providers - If an IP address belongs to a hosting site known to be used by hackers, consider blacklisting it. But here is also a message to free hosting sites: be more vigilant as to who is using your services.

Coming Up Next – Technologies Hackers Are Using

Understanding the business models the hacker industry is developing is paramount for knowing how to apply the correct protection. But to stay one step ahead of the hackers, you also need to know the technologies that hackers are using. So stay tuned as I turn to the emerging hacker technologies!

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists, with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and, before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.